A signature of some data can mean many different things, such as: this is a message I sent, this is a certificate I validated, ... So I was surprised that common signing schemes don't include a "purpose" parameter as part of the signature. In particular I didn't find such a parameter in the schemes from PKCS#1.

Other methods such as PBKDF2 include a way to include a purpose designation that prevents interactions between different applications. In the case of PBKDF2 the purpose is simply concatenated with the salt.

Why is there no such purpose designation of a signature?

This would make it possible to use a single private key for multiple purposes, as long as the same signature scheme (such as RSASSA-PSS) is used in all of them. It would also help if a key is reused for different purposes accidentally.

Are there any existing workarounds?

This was one of the first things I ran into when looking at digital signatures, so I'd expect other people to have had the same problem. I'd prefer reusing an existing scheme here, instead of inventing my own.

What kind of workaround would be possible?

My first instinct is to sign the result of HMAC(message, purpose) and make sure this is the only kind of data ever signed. Would this be secure?

BTW: I'm talking about a signature-only key used with a single signature scheme here, since I know that it's bad to use a single key with different schemes or for encryption+signature.

PBKDF2 does not contain a purpose designation. It is hinted that it could be part of the salt, but it isn't separate from the salt. Just like the answer of Thomas, the structure of the input is defined by the protocol, not the algorithm itself. It is defined at a higher level, in your case CMS (or XML Signature etc).
– Maarten Bodewes, Dec 29 '11 at 18:36

1 Answer

A signature algorithm operates over a sequence of bits -- any sequence of bits. The meaning you may want to attach to these bits is totally none of the business of the signature algorithm. It is supposed to be handled at some other level.

Basically you want to attach some meta-data to the signed object, and have that meta-data signed as well. The usual solution is to compute the signature over a structure which encodes the meta-data and contains the target message as well. See, for instance, the CMS standard. When a "document" is signed, it is wrapped in a SignedData structure which contains "attributes", e.g. a "Content Type". The signature is computed over an encoding of (some of) the attributes, one of them containing a hash of the document itself.
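The wrapping approach the answer describes, as an added example in Go (not code from the question, the answer or the CMS standard): a hypothetical purpose label and a content type are bound to a SHA-256 digest of the document, each field is length-prefixed so the encoding is unambiguous, and the RSASSA-PSS signature is computed over that encoding rather than over the raw document. The label "ticket-v1" and the sample document are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// SignedAttrs is a minimal stand-in for the CMS "signed attributes":
// a purpose label (hypothetical, chosen by the application) and a
// content type, bound to a digest of the document being signed.
type SignedAttrs struct {
	Purpose     string
	ContentType string
	Digest      [32]byte
}

// encode serialises the attributes with 4-byte length prefixes so that
// no two distinct (purpose, contentType, digest) triples share an encoding.
func (a SignedAttrs) encode() []byte {
	var out []byte
	for _, s := range []string{a.Purpose, a.ContentType} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		out = append(out, n[:]...)
		out = append(out, s...)
	}
	return append(out, a.Digest[:]...)
}

func newAttrs(purpose, contentType string, doc []byte) SignedAttrs {
	return SignedAttrs{Purpose: purpose, ContentType: contentType, Digest: sha256.Sum256(doc)}
}

var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// Sign produces an RSASSA-PSS signature over the encoded attributes only;
// the raw document bytes are never passed to the signature primitive.
func Sign(priv *rsa.PrivateKey, a SignedAttrs) ([]byte, error) {
	h := sha256.Sum256(a.encode())
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], pssOpts)
}

// Verify rebuilds the attributes the verifier expects (its own purpose and
// content type) and checks the signature against that encoding, so a
// signature issued for another purpose does not verify here.
func Verify(pub *rsa.PublicKey, purpose, contentType string, doc, sig []byte) bool {
	h := sha256.Sum256(newAttrs(purpose, contentType, doc).encode())
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, pssOpts) == nil
}
```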